
Statement of James Sheaffer, President, North American Public Sector, CSC
United States House of Representatives
Committee on Homeland Security
Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies
October 6, 2011

Mr. Chairman, Ranking Member Clarke, and Members of the Subcommittee, it is an honor to appear before you today to discuss security implications of cloud -- or shared -- computing. The Subcommittee laid a good basis for today's discussion in its April 15 hearing on promoting Department of Homeland Security cybersecurity innovation and securing critical infrastructure, and its June 24 hearing on the homeland security impact of the Administration's cybersecurity proposal.

I am Jim Sheaffer, President of CSC's North American Public Sector. Recently I served as Vice-Chair for the Public Sector of the TechAmerica Foundation's Commission on the Leadership Opportunity in U.S. Deployment of the Cloud (CLOUD²). The mandate of the Commission was to provide recommendations on how the federal government could deploy and accelerate the adoption of cloud technologies, and to address public policies that would enable U.S. innovation in the cloud. In July, the Commission issued a report -- Cloud First, Cloud Fast -- that addresses some of the issues we are discussing today.

Let me begin by offering a brief word about CSC. Last year we had revenues of just over $16 billion. Three-fifths derived from IT services provided to the private sector, and two-fifths from a range of services for the public sector. Acknowledged as a leading global provider of IT services, CSC delivers large-scale IT projects for both public and private sector clients. We provide cybersecurity to some of the world's largest companies, including critical infrastructure providers, and some of the most sensitive U.S. government agencies.
Cloud Computing

By leveraging shared computing resources, higher utilization rates of computing hardware, and economies of scale, cloud computing is ushering in an IT revolution which promises far lower costs while greatly improving capacity and performance. Cloud computing combines self-service provisioning of software applications and IT infrastructure with on-demand scaling of computing and storage in which users pay only for what they consume. Cloud computing and as-a-service delivery enable organizations to slash unit costs of computing, and build capacity for rapidly growing volumes of data and burgeoning requirements for computation.

Cloud computing is a hot topic. In essence, it is just the latest evolutionary step that has taken us from custom-built computers to mainframes to personal computers to client-servers, and then to the Internet. What is different about cloud computing is the accelerating pace of change, rapid adoption rates, and global nature of its use. Cloud innovation allows entrepreneurs and public sector innovators to create value at little to no capital expense in computing resources, unlike the previous waves. Cloud computing disrupts existing business models and enables wholly new ones. The explosion of mobile computing catalyzes even faster adoption of cloud computing.

Cloud computing hardware can reside on-premise at an organization's facility, or off-premise, such as at an IT provider's facility. The National Institute of Standards and Technology (NIST) defines four types of environments for cloud computing: (1) Private cloud that is operated by an organization and may exist on premise or off premise; (2) Community cloud that is shared by multiple organizations related to a specific community and may exist on premise or off premise; (3) Public cloud that is available to the general public, owned by a commercial vendor and located off premise; and (4) Hybrid cloud that is a combination of two or more clouds (private, community, or public).

Trust

Today's tight federal budget climate offers an added incentive to agencies to adopt the cloud. But while cloud computing offers substantial benefits, such as cost savings, speed, and responsiveness to mission needs, it also raises questions of trust. Trust encompasses such concepts as security, availability, reliability, transparency to the user, and ability to extract data. The pace and degree of adoption of cloud delivery services will depend on establishing a basis of trust.
This begins with understanding the risks and challenges. Can important data be entrusted to the cloud? Are there new risks and challenges to trust, especially the security of data? Let us look at the new risks and challenges to trust.

One, the speed of cloud technology advancement requires new security policies, and even new technologies and procedures, to keep pace with cloud advancements. Most current knowledge about IT security is based on a world in which most computer resources are under the direct control of a person or organization and in which physical and technical means exist, including software firewalls, to control access. Moreover, the Internet was originally designed without a primary focus on security; since then computer security specialists have played catch-up.

Many of those security concepts must be reconsidered for a world in which cloud computing enables a much broader spectrum of solutions and much greater cost savings derived from the sharing of computing, storage, and network resources, bringing new economies of scale. For example, firewall technologies designed for operating inside the virtual fabric of cloud architectures -- the design of cloud computing systems -- are just now becoming available, and they remain largely untested.

A second risk is that all of the required security standards for cloud computing are not yet in place. Clear, understandable, and verifiable standards are essential for building trust. The National Institute of Standards and Technology and the Cloud Security Alliance -- a non-profit coalition of practitioners, companies, and associations -- are conducting research and developing new cloud security standards.

Third, while not specific to cloud computing but relevant to it, cyber threats are serious and dynamic -- and becoming more pernicious. Business and government alike face threats much more severe than in the past, and more likely to change and do so swiftly. Advanced Persistent Threats tend to be state-sponsored and target especially sensitive information, such as military and financial data and intellectual property. Such information lies at the heart of America's security and economic well-being.

The risks and challenges to cloud computing are substantial but not insurmountable. Of fundamental importance, cybersecurity must be integral to cloud computing architectures and not be bolted-on after the fact. CSC participates in various forums that develop standards. CSC's rigorous validation and testing programs promote innovation for security solutions. On balance, we are confident that prudent cloud computing will satisfy stringent security requirements.
USCYBERCOM Commander General Keith Alexander said it best to a House Armed Services Subcommittee last March: "The idea is to reduce vulnerabilities inherent in the current architecture and to exploit the advantages of cloud computing and thin-client networks, moving the programs and the data that users need away from the thousands of desktops we now use -- up to a centralized configuration that will give us wider availability of applications and data combined with tighter control over accesses and vulnerabilities and more timely mitigation of the latter."

Ways to Enhance Security

How should security risks and challenges be addressed? The key is to align risk profiles of varying types of data and uses with levels of protection required. Understanding the risk profiles of data being considered for the cloud is key to determining the required levels, and hence costs of security. One-size-fits-all approaches provide neither effective security nor the lowest cost solution. Each software application and data set must be evaluated to identify its specific security requirements. For example, published scientific research may be suitable for less stringent cloud computing environments than are needed for classified intelligence data on potential terrorists. CSC is assisting federal agencies to develop roadmaps that outline risk profiles of data sets and identify appropriate cloud solutions. It will be important to gain feedback and learn lessons from implementations of cloud computing. They can help identify best practices and improve security for future uses.

Federal Policy

Federal policy on cloud computing and its security has evolved rapidly. In 2002 the Federal Information Security Management Act, or FISMA, came into force. It establishes a comprehensive framework designed to protect government information, operations and assets against natural and man-made threats, and requires program officials, chief information officers, and inspectors general to conduct annual reviews of information security. The Federal Risk and Authorization Management Program, or FedRAMP, was initiated in 2010 to provide a standard approach across the federal government for assessing and authorizing cloud computing services and products. A common security risk model enables the federal government to "approve once, and use often."

In the 25-Point Implementation Plan to Reform Federal Information Technology Management, issued on December 9, 2010, the Office of Management and Budget called for reducing the number of federal data centers by at least 800 by 2015 and creating a federal-wide marketplace for data center availability. Curiously, not one of OMB's 25 points focused on cybersecurity. On February 9, 2011, OMB issued a Federal Cloud Computing Strategy, which gives more attention to security.
It cautions that cloud security is an exercise in risk management, identifying and assessing risk, and taking the steps to reduce it to an acceptable level. Risk management based on intelligent risk assessment enhances the protection of the most valuable information and is more cost-effective than compliance-based approaches.

The Federal Strategy points to several potential security benefits of cloud computing. The first is the ability of the cloud provider to focus centralized resources on security services. Second, the greater uniformity and homogeneity of the cloud platform eases security management and improves response times. A third benefit is the improved resource availability of the cloud provider through scalability, redundancy, and disaster recovery capability. Fourth are the improved backup and recovery capabilities and procedures that a cloud provider can offer. A fifth potential benefit of cloud computing is the ability to leverage, as needed, services from other data centers.

At the same time, the Federal Strategy highlights potential vulnerabilities of cloud computing. One is the inherent system complexity of a cloud computing environment. A second vulnerability is dependency on the service provider to maintain secure logical separation in a shared computing resource, or what is called a multi-tenant environment. A third potential vulnerability is the cloud user's need to have sufficient knowledge of potential threats and vulnerabilities to know how to make decisions and set priorities on security and privacy. Increasing experience in the implementation of cloud computing, with careful attention to security, will help validate and refine our collective understanding of its benefits and risks.

The Department of Homeland Security is laudably reaching out across the federal government and the private sector to foster a more secure and resilient cybersecurity environment. The DHS Chief Information Officer is leaning forward to show leadership in cloud adoption. In moving data from twenty-two separate components into the primary DHS Stennis data center and a secondary backup center, DHS has increased the productivity of its capital investment in computing. While migrating into the two consolidated data centers, DHS has also implemented a private cloud behind a DHS-controlled firewall and security systems. As new security standards are developed and effectively verified, more data will be ready to move to the cloud. In addition to private cloud implementation, DHS is moving certain public-facing websites, such as DHS.gov and FEMA.gov, into a public cloud in order to increase efficiency and productivity. DHS is an early and prudent adopter of cloud computing and its experience may be instructive for others.

Cloud Examples

Let me outline three examples of how cloud computing can be implemented in a homeland security context. First, CSC helps a global chemical company that is part of America's critical infrastructure.
Its research unit must allow access to scientists and others from inside and outside the company to foster collaboration for new discoveries. Researchers require high performance computing and surge IT capacity, and they store highly sensitive intellectual property. The research unit must accommodate projects that start and stop abruptly and then restart. CSC has installed a private cloud that the chemical company manages to satisfy its own special security requirements. The company has deployed cloud access at each of its laboratories around the world, and CSC federates and orchestrates cloud services across the chemical company's global IT infrastructure.

In a second example, DHS wanted more responsive computing. It opted for cloud computing for the development and testing of new computer application systems. This eliminates costly and time-consuming tasks of procuring, installing, and testing new computer hardware and software every time a software development team starts a new project. To support DHS, CSC designed and is implementing a private cloud that will reduce the time to provision new development and test environments from months to just a couple of days. We are also assisting with a strategy and plan for helping DHS encourage management and cultural changes required to take best advantage of the cloud.

A third example is the potential for increased use of unmanned aerial vehicles to help DHS monitor U.S. borders. Evolving technology will allow aerial platforms to collect greatly increasing amounts of ground imagery. As this develops, cloud computing could assist DHS to expand data collection and processing while holding down computing costs.

Recommendations

I wish to call special attention to four important recommendations from the TechAmerica Commission Report, and offer a fifth recommendation. First, the federal government and the private sector should support the creation of international standardized frameworks for securing, assessing, certifying, and accrediting cloud computing. Second, the public sector and the federal government should accelerate the development of an identity management ecosystem to facilitate the adoption of strong authentication technologies, enabling more secure access to cloud services and websites. Third, a law is needed to clarify responsibilities of companies to notify customers in the event of data breaches, and strengthened criminal laws are required against those who attack computer systems, including cloud services. Fourth, the federal government and the private sector should develop and execute a more robust joint research agenda for cloud computing.
Fifth, verification and continuous monitoring of cloud security ought to be standardized. Independent, professional third-party audit of cloud providers should become standard practice, along with real-time transparency in the security posture of cloud-based systems.

Conclusion

In conclusion, as the use of cloud computing accelerates, better security must go hand-in-hand with saving money and improving performance. Cybersecurity must be integrated into cloud computing architectures at the outset, rather than be left to catch up. This will enhance trust in the information revolution that underlies so much of America's prosperity and homeland security. I welcome your questions and comments. Thank you.
